Firebird Backdoor Tentatively Linked With Indian APT
The threat actor known as DoNot Team has been linked to the deployment of a new .NET-based backdoor called Firebird, directed at a small number of targets in Pakistan and Afghanistan.
Cybersecurity researchers stated that the attack chains are also set up to deliver a downloader named CSVtyrei, so called because of its resemblance to Vtyrei. Some sections of the code appeared to be non-operational, suggesting the malware is still under development.
Vtyrei (also known as BREEZESUGAR) is an initial payload and downloader strain that the threat actor had previously used to distribute a malware framework known as RTY.
DoNot Team, which also goes by the aliases APT-C-35, Origami Elephant, and SECTOR02, is believed to originate from India. Its attacks use spear-phishing emails and rogue Android apps to spread malware.
The researchers' latest evaluation expands on their examination of the twin attack campaigns by this threat actor in April 2023, in which the Agent K11 and RTY frameworks were deployed.
ElizaRAT Used in Attacks on India
This disclosure comes in the wake of Zscaler ThreatLabz revealing new malicious activities undertaken by the Pakistan-based Transparent Tribe (also known as APT36). This group has been targeting sectors of the Indian government using an updated arsenal of malware, which includes a previously undocumented Windows trojan named ElizaRAT.
ElizaRAT is delivered as a .NET binary and establishes a communication channel through Telegram, allowing threat actors to gain complete control over the targeted endpoint.
Transparent Tribe, active since 2013, has utilized tactics like credential harvesting and malware distribution, often distributing tampered installers of Indian government applications such as Kavach multi-factor authentication. They have also weaponized open-source command-and-control (C2) frameworks like Mythic.
In a sign that this hacking group has turned its attention to Linux systems, Zscaler noted that they found a small set of desktop entry files that facilitate the execution of Python-based ELF binaries. These include GLOBSHELL for exfiltrating files and PYSHELLFOX for stealing session data from the Mozilla Firefox browser.
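The Linux technique described above relies on desktop entry (.desktop) files: small INI-style launchers whose Exec= line the desktop environment runs when the entry is opened or, if it sits in an autostart directory, at login. The script below is an added defender-side example, not code from the article or from Zscaler, showing how a responder can parse collected .desktop files and flag the patterns that make such launchers worth a closer look: an Exec target living in a temp or hidden directory, an Exec wrapped in a shell or Python interpreter, a hidden (NoDisplay=true) autostart entry, and a Name that imitates a document. The sample entries and all file paths in it are constructed for illustration and are not indicators from the article.

```python
"""Triage Linux .desktop entries for launcher-abuse patterns (added example)."""
import configparser
import shlex

# Constructed sample entries: one ordinary launcher, one hidden autostart entry
# that runs a binary from a hidden cache directory, and one "document" lure.
# None of these paths or names come from the article; they are hypothetical.
SAMPLE_ENTRIES = {
    "/usr/share/applications/firefox.desktop": (
        "[Desktop Entry]\nType=Application\nName=Firefox\n"
        "Exec=/usr/bin/firefox %u\nTerminal=false\n"
    ),
    "/home/user/.config/autostart/gnome-helper.desktop": (
        "[Desktop Entry]\nType=Application\nName=Helper\n"
        "Exec=/home/user/.cache/.x/update\nNoDisplay=true\nTerminal=false\n"
    ),
    "/home/user/Desktop/report.desktop": (
        "[Desktop Entry]\nType=Application\nName=report.pdf\nIcon=application-pdf\n"
        'Exec=sh -c "/tmp/.r/viewer"\nTerminal=false\n'
    ),
}

# Directories a legitimate launcher rarely executes from.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/.cache/", "/.local/share/")
# Interpreters that a launcher may use to wrap a dropped script or binary.
SHELL_WRAPPERS = ("sh", "bash", "dash", "python", "python3")


def parse_desktop_entry(text):
    """Return the [Desktop Entry] group as a dict, or None if the file lacks it."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keys are case-sensitive in the desktop entry spec
    cp.read_string(text)
    if not cp.has_section("Desktop Entry"):
        return None
    return dict(cp.items("Desktop Entry"))


def triage(path, entry):
    """Return a list of human-readable findings for one parsed entry."""
    findings = []
    exec_line = entry.get("Exec", "")
    try:
        argv = shlex.split(exec_line)
    except ValueError:          # unbalanced quotes: fall back to whitespace split
        argv = exec_line.split()

    if any(d in arg for arg in argv for d in SUSPICIOUS_DIRS):
        findings.append("exec target in temp or hidden directory")
    if argv and argv[0].rsplit("/", 1)[-1] in SHELL_WRAPPERS:
        findings.append("exec wrapped in interpreter")
    if "/autostart/" in path and entry.get("NoDisplay", "").lower() == "true":
        findings.append("hidden autostart entry")
    if entry.get("Name", "").lower().endswith((".pdf", ".doc", ".docx", ".txt")):
        findings.append("name imitates a document")
    return findings


def triage_all(entries=SAMPLE_ENTRIES):
    """Map each Application-type entry path to its findings; clean entries are omitted."""
    report = {}
    for path, text in entries.items():
        entry = parse_desktop_entry(text)
        if entry is None or entry.get("Type") != "Application":
            continue
        findings = triage(path, entry)
        if findings:
            report[path] = findings
    return report


if __name__ == "__main__":
    for path, findings in triage_all().items():
        print(path)
        for finding in findings:
            print("  -", finding)
```

On a real host the dictionary would be built by reading ~/.config/autostart, ~/.local/share/applications, ~/Desktop and /usr/share/applications; the checks are deliberately simple heuristics, so treat a hit as a prompt to pull the referenced binary for analysis rather than as a verdict.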